Posted at 11:18 AM, 8 years ago. Post ID: 8423

Filter for a specific time frame in Wireshark.

  1. Filter for a certain time frame in Wireshark
  2. Find IPv4 statistics
  3. List all packets of a certain type that are on a certain port
  4. Spoof ping packets on a LAN with Hping3
  5. Filter time in epoch time format
  6. Filter by packet size in bytes

*___________________________________________________________________________________________________________________________*

Filter for a certain time frame in Wireshark

To filter for a specific time frame in Wireshark, there is the frame.time filter. Used as in the example below, this will show all packets that have arrived in the time frame of Aug 12, 2015, 14:50:10 to Aug 12, 2015, 14:51:10. This is useful when drilling down to a specific conversation.

Here is our completed example time frame filter.

(frame.time >= "Aug 12, 2015 14:50:10") && (frame.time <= "Aug 12, 2015 14:51:10")

This is very easy. To get this working, select any packet in the Packet List. Expand the Frame section in the Packet Details pane. Right-click on Arrival Time and select Prepare a Filter > Selected. This will appear in the display filter field:

frame.time == "Oct 15, 2012 16:36:01.009638000"

Edit this display filter. Change the “==” to “>=” and change the time to the earliest time you want your display filter to show. For example:

frame.time >= "Oct 15, 2012 16:00:00"

Now right-click on Arrival Time again and select Prepare a Filter > And Selected. You will now have something like this:

(frame.time >= "Oct 15, 2012 16:00:00") && (frame.time == "Oct 15, 2012 16:36:01.009638000")

Now edit the second part of the filter. Change “==” to “<=” and change the time to the latest time you want your display filter to show. For example:

(frame.time >= "Oct 15, 2012 16:00:00") && (frame.time <= "Oct 15, 2012 17:00:00")

Click Apply. This example display filter will show all frames arriving between 16:00 and 17:00 local time on October 15th.

This is another example.

(frame.time >= "Sep 23, 2014 12:32:50") && (frame.time <= "Sep 23, 2014 12:33:00")

This will only show a few packets depending on network traffic.

To show the HTTP requests sent from a PC running the Firefox web browser, use this filter.

http.user_agent contains "Firefox"

This simple filter shows the packets sent from one specific IP address to another.

ip.src_host==10.2.3.9 and ip.dst_host==91.189.94.12 and (tcp || udp)

This works very well in Wireshark. The final clause also restricts the result to packets that are TCP or UDP.

Filtering for a certain time frame in Wireshark.

Find IPv4 statistics

Go to Statistics -> IPv4 Statistics -> IP Protocol Types to find a count of all UDP and TCP connections in the Wireshark capture. Statistics -> IPv4 Statistics -> Source and Destination IP addresses is precisely what it sounds like and will list all source and destination IP addresses. The Statistics -> UDP Multicast Streams option does exactly what it says it does. Go to Statistics -> DNS to see very useful DNS networking information.

List all packets of a certain type that are on a certain port

It is possible to list all packets that are destined for a certain port.

tcp.port == 8892 || udp.port == 8892

I had an SSH server listening on port 8892 and I connected to it on my phone. Then a flurry of packets was captured in Wireshark. SSH packets are encrypted, but this shows that it is possible to capture data sent to a certain port. Plus it is possible to see the source and destination ports.

Spoof ping packets on a LAN with Hping3

It is possible to spoof IP addresses using Hping3 on Linux. I managed to send ping packets over a network; they appear to come from the IP address 192.168.1.3, and are sent to the Linux machine at 192.168.1.2.

┌──[jason@11000000.10101000.00000001.00000010][~]
└──╼  ╼ $ sudo hping3 -S 192.168.1.2 -p 8892 -a 192.168.1.3 -c 6
HPING 192.168.1.2 (enp0s25 192.168.1.2): S set, 40 headers + 0 data bytes
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=0 win=64240 rtt=3.9 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=1 win=64240 rtt=7.8 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=2 win=64240 rtt=3.6 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=3 win=64240 rtt=3.5 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=4 win=64240 rtt=3.3 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=5 win=64240 rtt=7.1 ms
 
--- 192.168.1.2 hping statistic ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 3.3/4.9/7.8 ms

This is a very neat networking trick.

Viewing sent and received packets in Wireshark.
This is what it looks like in Wireshark.
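The session above is easier to audit when its lines are parsed rather than read by eye. The following Python is an added example for this post (it is not part of hping3): it parses the per-reply lines and the summary block into records, lists any sequence numbers that got no reply, and recomputes the min/avg/max round-trip figures to confirm the summary line agrees with the individual replies. The sample text is the output copied from the post; the regular expressions are written for that layout and are an assumption about the tool's format elsewhere.

```python
"""Parse hping3 per-reply and summary lines (layout as in the post above) and
cross-check the summary against the individual replies.
Added example for this post; not hping3's own code."""
import re
from dataclasses import dataclass
from statistics import mean

# Sample input: the reply and summary lines copied from the post's session.
SAMPLE = """\
HPING 192.168.1.2 (enp0s25 192.168.1.2): S set, 40 headers + 0 data bytes
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=0 win=64240 rtt=3.9 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=1 win=64240 rtt=7.8 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=2 win=64240 rtt=3.6 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=3 win=64240 rtt=3.5 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=4 win=64240 rtt=3.3 ms
len=44 ip=192.168.1.2 ttl=64 DF id=0 sport=8892 flags=SA seq=5 win=64240 rtt=7.1 ms

--- 192.168.1.2 hping statistic ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 3.3/4.9/7.8 ms
"""

# Field layout assumed from the lines shown in the post ("DF" is optional).
HEADER_RE = re.compile(r"^HPING (\S+) \(")
REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]+) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms")
COUNT_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received, (\d+)% packet loss")
RTT_RE = re.compile(r"round-trip min/avg/max = ([\d.]+)/([\d.]+)/([\d.]+) ms")


@dataclass(frozen=True)
class Reply:
    ip: str
    ttl: int
    sport: int
    flags: str
    seq: int
    rtt_ms: float


@dataclass
class HpingRun:
    target: str
    replies: list
    transmitted: int
    received: int
    loss_pct: int
    reported_rtt: tuple  # (min, avg, max) as printed on the summary line


def parse_hping3(text: str) -> HpingRun:
    """Turn one hping3 session transcript into a structured record."""
    target, replies = "", []
    transmitted = received = loss = 0
    reported = (0.0, 0.0, 0.0)
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            target = m.group(1)
        elif m := REPLY_RE.search(line):
            replies.append(Reply(m["ip"], int(m["ttl"]), int(m["sport"]),
                                 m["flags"], int(m["seq"]), float(m["rtt"])))
        elif m := COUNT_RE.search(line):
            transmitted, received, loss = (int(g) for g in m.groups())
        elif m := RTT_RE.search(line):
            reported = tuple(float(g) for g in m.groups())
    return HpingRun(target, replies, transmitted, received, loss, reported)


def missing_seqs(run: HpingRun) -> list:
    """Sequence numbers that were sent but never answered."""
    seen = {r.seq for r in run.replies}
    return [s for s in range(run.transmitted) if s not in seen]


def rtt_stats(run: HpingRun) -> tuple:
    """min/avg/max recomputed from the replies, rounded like hping3 prints them."""
    rtts = [r.rtt_ms for r in run.replies]
    return (round(min(rtts), 1), round(mean(rtts), 1), round(max(rtts), 1))


def summary_consistent(run: HpingRun) -> bool:
    """True when counts, reply sources and RTT figures all agree with the summary."""
    return (run.received == len(run.replies)
            and all(r.ip == run.target for r in run.replies)
            and rtt_stats(run) == run.reported_rtt)


if __name__ == "__main__":
    run = parse_hping3(SAMPLE)
    print(run.target, "replies:", len(run.replies), "missing:", missing_seqs(run))
    print("recomputed min/avg/max:", rtt_stats(run), "consistent:", summary_consistent(run))
```

Keeping the reported and recomputed RTT figures separate is deliberate: a transcript whose summary does not match its reply lines has usually been truncated or edited, which is worth knowing before it is pasted into a report.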

Filter time in epoch time format

It is also possible to filter for certain packets using the epoch time format. This is very easy to do. Click a packet and expand the Frame section.

Viewing frame information about a network packet in Wireshark.

The Epoch Time option is what we need. Right-click this and copy the value of the entry to get the epoch time value.

frame.time_epoch == 1676957751.204800334
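The frame.time filters in the first section and the frame.time_epoch filter here describe the same moment in two ways, and the difference matters when a capture is shared: a frame.time string is read in the local time zone of the machine running Wireshark, while frame.time_epoch is an absolute count of seconds since 1970-01-01 UTC and means the same thing on every host. The following Python is an added example for this post (not Wireshark's code) that builds both forms of a time window from datetime objects, converts a copied epoch value back into a readable time, and joins fragments with &&. Epoch values are handled as strings and Decimal rather than floats because a value like 1676957751.204800334 carries nanoseconds a double cannot hold exactly; the helper names and the 60-second window are this example's own.

```python
"""Build Wireshark time-window display filters in frame.time (local wall-clock)
and frame.time_epoch (UTC seconds) form.  Added example for this post; not
Wireshark's own code."""
from datetime import datetime, timedelta, timezone, tzinfo
from decimal import Decimal

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def wireshark_time(dt: datetime) -> str:
    """Render a datetime as the 'Mon DD, YYYY HH:MM:SS' text frame.time accepts.
    Sub-second digits are appended only when the datetime carries them."""
    text = dt.strftime("%b %d, %Y %H:%M:%S")
    if dt.microsecond:
        text += f".{dt.microsecond:06d}"
    return text


def frame_time_filter(start: datetime, end: datetime) -> str:
    """Window in frame.time form, as in the post: interpreted as local time."""
    if end < start:
        raise ValueError("end precedes start")
    return (f'(frame.time >= "{wireshark_time(start)}") && '
            f'(frame.time <= "{wireshark_time(end)}")')


def epoch_seconds(dt: datetime) -> str:
    """Exact epoch seconds as a decimal string (integer arithmetic, no float
    rounding).  Naive datetimes are refused: the point of the epoch form is to
    pin the time zone down explicitly."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime for frame.time_epoch")
    delta = dt - _EPOCH
    secs = delta.days * 86400 + delta.seconds
    return f"{secs}.{delta.microseconds:06d}" if delta.microseconds else str(secs)


def frame_time_epoch_filter(start: datetime, end: datetime) -> str:
    """Same window in frame.time_epoch form, valid regardless of host time zone."""
    if end < start:
        raise ValueError("end precedes start")
    return (f"(frame.time_epoch >= {epoch_seconds(start)}) && "
            f"(frame.time_epoch <= {epoch_seconds(end)})")


def epoch_to_local(epoch: str, tz: tzinfo) -> datetime:
    """Turn a copied frame.time_epoch value (kept as a string, since a float
    cannot hold nanoseconds) into a readable time in the given zone.  Digits
    beyond microseconds are truncated because datetime stops there."""
    value = Decimal(epoch)
    secs = int(value)
    micros = int((value - secs) * 1_000_000)
    return (_EPOCH + timedelta(seconds=secs, microseconds=micros)).astimezone(tz)


def combine(*terms: str) -> str:
    """AND several filter fragments together, parenthesising each one."""
    return " && ".join(f"({t})" for t in terms)


if __name__ == "__main__":
    # The post's first example: Aug 12, 2015 14:50:10 to 14:51:10, local time.
    start = datetime(2015, 8, 12, 14, 50, 10)
    end = start + timedelta(seconds=60)
    print(frame_time_filter(start, end))
    # The same minute pinned to UTC (an assumption for the demo) in epoch form.
    utc_start, utc_end = (t.replace(tzinfo=timezone.utc) for t in (start, end))
    print(frame_time_epoch_filter(utc_start, utc_end))
    # Combined with the port filter from section 3 of the post.
    print(combine(frame_time_epoch_filter(utc_start, utc_end),
                  "tcp.port == 8892 || udp.port == 8892"))
    # Decode the epoch value shown in the post into a UTC timestamp.
    print(epoch_to_local("1676957751.204800334", timezone.utc).isoformat())
```

When handing a filter to someone in another time zone, send the frame.time_epoch form; the frame.time form will select a different hour on their machine.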

Filter by packet size in bytes

It is also possible to filter by the frame size in bytes. This is another very useful tip.

frame.len == 340

A most useful trick.
